[00:10.960 --> 00:14.640]  Hello everyone, thank you for attending my virtual presentation.
[00:14.980 --> 00:20.800]  So, I am Guy, I'm a master's student from EPFL and ETH Zurich in Switzerland,
[00:20.800 --> 00:25.020]  and I've been working with armasuisse on privacy in general aviation,
[00:25.020 --> 00:29.800]  and most particularly on the recent attempt from the FAA in the US.
[00:30.460 --> 00:33.520]  First, why do we need privacy in general aviation?
[00:33.660 --> 00:38.360]  In recent years, a lot of articles have underlined privacy issues in general aviation.
[00:38.360 --> 00:42.720]  For instance, it would be possible to predict a company merger or acquisition
[00:42.720 --> 00:47.700]  by tracking a company aircraft, as demonstrated in the Bloomberg article.
[00:48.220 --> 00:52.320]  It is also possible to track diplomats' trips to a foreign country,
[00:52.320 --> 00:56.520]  which is of course not desirable, or to track the use of corporate jets.
[00:57.120 --> 01:00.520]  Furthermore, I guess that pilots just don't want to be tracked when flying,
[01:00.520 --> 01:04.720]  so that's why a privacy policy is needed in general aviation.
[01:04.720 --> 01:10.340]  But before diving into the actual policy, I will quickly introduce aircraft communications.
[01:10.780 --> 01:16.080]  Aircraft need to be identifiable at all times when flying for obvious security reasons.
[01:16.700 --> 01:19.880]  So, first it can be identified by the tail number,
[01:19.880 --> 01:23.340]  which is the unique registration by the national authority,
[01:23.340 --> 01:28.720]  also called the N number in the US, and this number can never be changed.
[01:29.460 --> 01:33.900]  So, that is the number that is usually printed at the back of the aircraft or on the tail.
[01:35.040 --> 01:40.650]  Aircraft can also be identified by their ICAO address, which is a 24-bit transponder ID,
[01:41.140 --> 01:45.700]  that is assigned by the International Civil Aviation Organization.
[01:46.080 --> 01:52.000]  And there is a direct translation between the tail number and the ICAO address in the US.
[01:52.000 --> 01:57.660]  So, if you're interested, I wrote a converter that is available on my GitHub.
[01:58.900 --> 02:04.500]  And aircraft can also be identified by their callsign, which is a unique flight identifier,
[02:04.500 --> 02:07.960]  and it can be changed for each flight. And, for instance,
[02:07.960 --> 02:12.800]  private aircraft often use their tail number as a callsign.
[02:13.540 --> 02:18.720]  Aircraft use ADS-B, standing for Automatic Dependent Surveillance-Broadcast,
[02:18.720 --> 02:22.680]  to communicate with the ground stations and with other aircraft.
[02:22.840 --> 02:28.380]  ADS-B equipment is mandatory in many countries, such as the US, Australia, and European countries.
[02:28.380 --> 02:33.940]  I will not explain in detail how ADS-B operates, but what we need to know is that
[02:33.940 --> 02:39.760]  aircraft broadcast, twice a second, information such as their position, velocity, etc.
[02:39.940 --> 02:45.260]  And these broadcasts are identified by the ICAO address and the callsign of the aircraft.
[02:45.380 --> 02:50.240]  Anyone equipped with a cheap software-defined radio can receive these broadcasts
[02:50.240 --> 02:53.160]  from a distance of 600 kilometers.
[02:54.180 --> 02:59.700]  Crowdsourced networks try to cover large areas with antennas and software-defined radios,
[02:59.700 --> 03:06.920]  in order to get global ADS-B coverage and make aircraft trajectories publicly available online.
[03:07.300 --> 03:10.960]  Using a crowdsourced network, it is trivial to track an aircraft using
[03:10.960 --> 03:14.160]  only its ICAO address or its callsign.
[03:14.180 --> 03:18.020]  Aircraft can change their callsign for each flight, but not their ICAO address,
[03:18.020 --> 03:20.520]  so they are actually easy to track.
[03:20.920 --> 03:27.020]  So, this situation is a serious issue for aircraft and passenger privacy.
[03:27.020 --> 03:32.760]  Until recently, the only way aircraft operators could protect themselves from being tracked
[03:32.760 --> 03:38.580]  was to kindly ask crowdsourced networks to make tracking unavailable for the aircraft.
[03:38.580 --> 03:42.200]  But some crowdsourced networks do not offer this service.
[03:43.020 --> 03:47.140]  Concerning these issues, the FAA published the following statement:
[03:47.400 --> 03:53.180]  "FAA acknowledges the desire of some operators to limit the availability of real-time ADS-B
[03:53.180 --> 03:57.780]  position and identification information for a specific aircraft.
[03:57.780 --> 04:02.440]  To address privacy concerns, the FAA has initiated the Privacy ICAO Address Program
[04:02.920 --> 04:05.780]  to improve the privacy of eligible aircraft."
[04:06.920 --> 04:13.260]  So, this Privacy ICAO Address Program allows enrolled aircraft operators to periodically
[04:13.260 --> 04:16.700]  change their ICAO address, acting as a pseudonym.
[04:17.240 --> 04:20.540]  So, if the aircraft operator simultaneously changes
[04:20.540 --> 04:26.580]  their ICAO address and the callsign of the aircraft, it makes the aircraft harder to track.
[04:26.680 --> 04:32.340]  This program is unfortunately, at least for now, limited to aircraft registered in the US,
[04:32.340 --> 04:36.720]  using a specific ADS-B system and a third-party callsign,
[04:37.420 --> 04:41.200]  just for flights in the domestic US airspace.
[04:41.320 --> 04:47.120]  This means that if an aircraft wants to fly abroad, it has to use its permanently
[04:47.120 --> 04:54.040]  assigned ICAO address and is automatically revealed to anyone who wishes to track it.
[04:54.520 --> 04:59.000]  In the first phase of the program, the FAA will monitor the program,
[04:59.000 --> 05:06.580]  and a new Privacy ICAO Address, or PIA, can be requested every 60 calendar days.
[05:06.580 --> 05:11.680]  And in the second phase, the program will be transitioned to third-party callsign providers,
[05:11.680 --> 05:21.300]  and the PIA change frequency will go down to 20 business days, or 28 calendar days, approximately.
[05:21.940 --> 05:27.480]  To illustrate the privacy improvement, we show an aircraft identified by its ICAO address landing
[05:27.480 --> 05:34.020]  at an airport. On ground, at the airport, the operator will request a new Privacy ICAO address
[05:34.620 --> 05:39.860]  and program it into the aircraft transponder and change the aircraft callsign before its next
[05:39.860 --> 05:47.260]  flight. So an adversary can observe that an aircraft with ICAO address A12345 arrived at the
[05:47.260 --> 05:54.960]  airport, and that another aircraft with ICAO address ABCDEF left the airport later on.
[05:54.960 --> 06:01.540]  If the aircraft is the only one that stays at the airport for the given time frame, then identifying
[06:01.540 --> 06:08.760]  that A12345 and ABCDEF are actually the same aircraft is trivial. But if multiple aircraft
[06:08.760 --> 06:13.620]  enrolled in the PIA program are changing their ICAO address at the same airport during the same
[06:13.620 --> 06:19.500]  time period, it is not possible to accurately link aircraft arriving at the airport with aircraft
[06:19.500 --> 06:27.500]  leaving the airport. So the best attack is in fact to take a random guess. So in order to maximize
[06:27.500 --> 06:33.480]  the privacy of aircraft using this scheme, we need to maximize the number of aircraft using a PIA
[06:34.100 --> 06:40.440]  and using the same callsign provider, changing their PIA simultaneously at the very same airport.
[06:40.440 --> 06:46.940]  So that's a lot of conditions, a lot of parameters that can influence the privacy level, and we're
[06:46.940 --> 06:55.100]  going to discuss that in detail. So here is the bigger picture of the ideal system where all
[06:55.100 --> 07:02.000]  aircraft change their identifier for each flight without any side-channel information. So a global
[07:02.000 --> 07:10.040]  adversary can observe the flights, but it is hard to accurately link a flight to a given aircraft.
[07:10.700 --> 07:17.220]  You cannot distinguish aircraft when they are flying if they change their ICAO address and
[07:17.220 --> 07:25.240]  callsign at each stop. So this actually results in an asynchronous free-route mix net
[07:25.240 --> 07:28.740]  where all aircraft stay inside the mix net forever.
[07:30.860 --> 07:37.200]  In order to quantify the privacy performance of such a system, we will look at its traceability index,
[07:37.200 --> 07:41.900]  which is defined as the expected ratio of successfully tracked aircraft over time.
[07:41.900 --> 07:46.440]  Here is an example. Time is represented on the x-axis and traceability index
[07:46.440 --> 07:54.000]  of the system is represented on the y-axis. And the traceability index of this example system
[07:54.000 --> 07:58.200]  after 150 days is 50.3 percent.
[07:59.020 --> 08:05.300]  From the beginning of the year, we observed the US airspace through the crowdsourced network
[08:05.300 --> 08:12.300]  OpenSky Network and detected that 16 aircraft are using a PIA address. Nine of them are using
[08:12.480 --> 08:19.060]  a DCM callsign and seven of them are using an FFL callsign. Those are two distinct sets of aircraft.
[08:19.060 --> 08:25.220]  We observed aircraft changing their ICAO address to a PIA and some of them didn't even update
[08:25.220 --> 08:31.160]  their callsign. So it's trivial to track them even if they wanted to enroll in this privacy
[08:32.020 --> 08:39.640]  program. So we did not observe any PIA change although some operators have been using the PIA
[08:39.640 --> 08:46.880]  for much more than 60 days. We observed that all ICAO addresses that we suspected to be PIAs
[08:47.480 --> 08:57.420]  are in the N number range from N41000 to N42. And that the 1062 official FAA registrations
[08:57.420 --> 09:07.640]  looked like the one on the right. So that is reserved with no fee on 10-03-2019
[09:08.160 --> 09:15.480]  by the SBS program office. And I will now explain an attack on how to track aircraft
[09:15.480 --> 09:22.320]  enrolled in the PIA program. So the first step is obviously to identify a target aircraft
[09:22.320 --> 09:28.360]  enrolled in this program. Then we need to associate the privacy ICAO address with an actual
[09:28.360 --> 09:35.340]  aircraft registration. And finally we need to monitor every PIA change of this aircraft.
[09:35.760 --> 09:40.740]  To detect an aircraft using a PIA we first look for flights using an ICAO address
[09:41.560 --> 09:48.500]  in this given range. So the hexadecimal range. And then we check in the FAA registry
[09:49.100 --> 09:55.400]  if the associated N number is reserved with no fee by the SBS program office.
[09:55.400 --> 10:00.080]  And if it is the case then we're almost sure that this aircraft is using a PIA.
[10:01.100 --> 10:06.320]  After we identify the target aircraft we need to find its original registration.
[10:06.320 --> 10:12.420]  To reach that goal we need to find the very first flight where the privacy ICAO address PIA1
[10:12.420 --> 10:19.160]  was used. So that is our target PIA. So in our example, as the flight departs from Chicago,
[10:19.660 --> 10:24.620]  we need to find all aircraft that landed at the very same airport in Chicago before the departure
[10:24.620 --> 10:30.060]  of the red flight. So these aircraft are the candidates and we need to eliminate all of them
[10:30.060 --> 10:38.000]  but one. For instance, after the departure of the red flight, an aircraft which is also identified
[10:38.680 --> 10:44.560]  by the address ICAO1 is observed leaving Chicago. So this aircraft is eliminated.
[10:45.400 --> 10:51.520]  Then the aircraft identified by the ICAO address ICAO2 is observed flying back to its origin. So
[10:51.520 --> 10:57.440]  there is only one candidate left, which is our target aircraft that changed its ICAO address
[10:57.440 --> 11:08.480]  from ICAO3 to PIA1. So we detected the ICAO address change. Once we know ICAO3 we look for the
[11:08.480 --> 11:14.240]  associated N number. So we do the translation and we look for the associated N number in the FAA
[11:14.240 --> 11:20.300]  registry to find the actual aircraft registration containing all of the owner's details like the
[11:20.300 --> 11:27.960]  address and everything. And so once we have the actual aircraft registration we only need to
[11:27.960 --> 11:33.460]  monitor the PIA changes, which is essentially the same operation as described previously.
[11:34.220 --> 11:39.580]  Note that if multiple aircraft are changing their PIA at the same airport during the same time
[11:39.580 --> 11:46.460]  period, we have to select one at random and the tracking may be inaccurate. But it is also possible
[11:46.460 --> 11:51.860]  to observe the flying patterns of the possible candidates to increase the probability of
[11:51.860 --> 11:57.580]  selecting the correct aircraft according to its pattern after the change.
[11:58.440 --> 12:04.500]  We built a simulator to help us predict how the PIA program would scale if significantly more
[12:04.500 --> 12:09.840]  aircraft joined it. This simulator takes as parameters a number of aircraft, a number of
[12:09.840 --> 12:17.480]  airports, the average aircraft flight frequency, the PIA change frequency and also the simulation
[12:17.480 --> 12:24.260]  duration. So once the simulation starts, an aircraft will be picked at random and will fly to
[12:24.400 --> 12:30.100]  a random airport. And then another aircraft would be chosen at random flying to another airport,
[12:30.750 --> 12:39.300]  and so on. So as the trajectories are random the simulator is not totally realistic, but it provides
[12:39.600 --> 12:46.460]  a lower bound on the traceability index, as a random flight maximizes the entropy of the system.
[12:46.540 --> 12:53.880]  The simulator is available on GitHub if you want to check it out. And we implemented the previously
[12:53.880 --> 13:02.090]  described attack to show the performance when we vary the simulator parameters.
[13:03.320 --> 13:08.760]  On this graph we see the traceability index curve for a set of 200 aircraft and 100 airports
[13:08.760 --> 13:15.320]  over a year where aircraft update their PIA respectively every 60 calendar days, as in phase
[13:15.320 --> 13:21.980]  one of the program, so that's the green curve; every 20 business days, which is 28 calendar days, so that's
[13:21.980 --> 13:27.800]  the orange curve for phase two of the program; and every 10 days in blue, which is just to show the
[13:27.800 --> 13:33.500]  difference. So we see that after a year the traceability index of the 60-day frequency
[13:34.300 --> 13:42.140]  update is at 30 percent, whereas the same score is reached after only 101 days
[13:42.140 --> 13:51.660]  and 37 days for the 28- and 10-day PIA update frequencies. So updating the aircraft PIA as
[13:51.660 --> 13:57.760]  often as possible gets the best privacy for the system.
[13:58.400 --> 14:05.120]  And now we make the aircraft fleet size vary while keeping the PIA update frequency to 28 days.
[14:05.120 --> 14:12.380]  So a fleet is a set of aircraft using a PIA and the same callsign space, so all of the aircraft
[14:12.380 --> 14:18.920]  are using a DCM callsign or all of them are using an FFL callsign. So we go from a fleet of
[14:19.820 --> 14:26.820]  50 aircraft in blue to a fleet of 500 aircraft in red and we see that the traceability index
[14:26.820 --> 14:35.300]  after 150 days goes from 87.9 percent for the 50 aircraft fleet down to only 1.5 percent for the
[14:35.300 --> 14:41.620]  500 aircraft fleet. So these curves really show that maximizing the number of aircraft
[14:41.620 --> 14:47.460]  for a fixed set of airports minimizes the traceability index of the system, which is what we
[14:47.460 --> 14:56.700]  want. Some obvious improvements to the PIA program would be to add an international policy so that
[14:56.700 --> 15:02.320]  aircraft do not need to use their permanently assigned ICAO address when flying abroad, because
[15:02.320 --> 15:12.140]  that reveals their position but also which PIA they used in the past, and so it would be easier
[15:12.140 --> 15:22.780]  to track all of their flight history until the moment they flew abroad. And it would also be good
[15:22.780 --> 15:31.880]  to make all ADS-B equipped aircraft eligible to enroll in this program in order to maximize
[15:31.880 --> 15:39.500]  the number of aircraft. And all aircraft using a PIA should use the same callsign range, which is not
[15:39.500 --> 15:46.420]  the case currently, as you can use the program with a DCM and an FFL callsign, so that makes two
[15:46.420 --> 15:55.900]  distinct sets of aircraft, one for each callsign provider. As the privacy is maximized when
[15:55.900 --> 16:01.200]  aircraft change their PIA as often as possible, a major improvement to the program would be to allow
[16:01.200 --> 16:07.980]  aircraft to update their PIA for each flight. This gives us the best theoretical privacy performance
[16:07.980 --> 16:15.300]  without modifying aircraft trajectories. But it comes at a price: it introduces extra work for
[16:15.300 --> 16:21.440]  the administration that has to keep track of all PIA changes, and it takes extra effort for aircraft
[16:21.440 --> 16:30.060]  operators to program the new PIA before each flight. So on this graph we can see the traceability index
[16:30.060 --> 16:38.140]  reached by a PIA change for each flight in green compared to the traceability index of the program
[16:38.140 --> 16:44.660]  in phase one and two in orange and blue. And we can see that the current PIA program is still
[16:44.660 --> 16:54.140]  very far from the best possible performance. Another major possible improvement is to make
[16:54.140 --> 17:00.040]  all aircraft change their PIA simultaneously. This method would consist in making all aircraft owners
[17:00.040 --> 17:06.880]  update their PIA on or before the first flight after a given day. This would help maximize
[17:06.880 --> 17:12.620]  the number of aircraft updating their PIA during the same time period at the same airport as they
[17:12.620 --> 17:18.440]  all update their PIA at the same time. This strategy would cause no extra cost for the
[17:18.440 --> 17:25.300]  administration as there would be the exact same number of changes and could even be adopted without
[17:25.300 --> 17:31.980]  any official changes in the program if for instance a group of aircraft operators agree on the dates
[17:31.980 --> 17:38.780]  at which they will update their PIA. The drawback of this method is that privacy performance is still
[17:38.780 --> 17:45.140]  far from the theoretical maximum but it's still better than in the regular PIA policy.
[17:45.780 --> 17:52.420]  So this graph represents the traceability index curve of the 28-day update policy with the PIA
[17:52.420 --> 17:58.740]  updates uniformly distributed in blue, the 28-day policy where all aircraft update their PIA
[17:58.740 --> 18:04.880]  simultaneously in orange, and in green the best theoretical performance where the aircraft
[18:04.880 --> 18:11.220]  change their PIA for each flight. So we observe a major improvement for the simultaneous update policy
[18:12.000 --> 18:18.940]  compared with the uniformly distributed one. For instance, after 150 days the traceability index
[18:18.940 --> 18:27.140]  goes from 56.9 percent in the regular PIA down to 31.3 percent in the enhanced version.
[18:27.600 --> 18:33.180]  To conclude this presentation we showed that the PIA program makes it slightly harder to track
[18:33.180 --> 18:38.600]  aircraft using ADS-B data from crowdsourced networks. It just makes it more annoying to
[18:38.600 --> 18:44.460]  retrace from a privacy ICAO address back to the aircraft owner, but it's still possible, so in a
[18:44.460 --> 18:50.340]  sense the PIA program does not really meet its privacy goal. We show with the simulator that
[18:50.340 --> 18:55.680]  even with a much larger number of aircraft using a PIA we can still track a large proportion of
[18:55.680 --> 19:01.900]  them over time even if they update their PIA as often as possible. And we propose two concrete
[19:01.900 --> 19:07.940]  solutions to improve the privacy in the PIA program. So if you want more details about our
[19:07.940 --> 19:14.920]  work please make sure to check out our paper when it's out. And finally my take-home message is if
[19:14.920 --> 19:20.380]  you get to use this program please make sure to update your privacy ICAO address as often as possible
[19:20.380 --> 19:24.240]  to increase your privacy level and others' privacy level.
